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Abstract 

The next bit test was introduced by Blum and Micali and proved by Yao to be a universal test for 
cryptographic pseudorandom generators. On the other hand, no universal test for the cryptographic one- 
wayness of functions (or permutations) is known, though the existence of cryptographic pseudorandom 
generators is equivalent to that of cryptographic one-way functions. In the quantum computation model, 
Kashefi, Nishimura and Vedral gave a sufficient condition of (cryptographic) quantum one-way permutations 
and conjectured that the condition would be necessary. In this paper, we affirmatively settle their conjecture 
and complete a necessary and sufficient for quantum one-way permutations. The necessary and sufficient 
condition can be regarded as a universal test for quantum one-way permutations, since the condition is 
described as a collection of stepwise tests similar to the next bit test for pseudorandom generators. 

1 Introduction 



One-way functions are functions / such that, for each x, f{x) is efficiently computable but, only for a negligible 
fraction of y, f~^(y) is computationally tractable. While the modern cryptography depends heavily on one- 
way functions, the existence of one-way functions is one of the most important open problems in theoretical 
computer science. On the other hand, Shor 1 12] showed that famous candidates of one-way functions such as 
the RSA function or the discrete logarithm function are no longer one-way in the quantum computation model. 
Nonetheless, some cryptographic applications based on quantum one-way functions have been considered (see, 
e.g., 11 51). 

As a cryptographic primitive other than one-way functions, pseudorandom generators have been studied 
well. Blum and Micali [3| proposed how to construct pseudorandom generators from one-way permutations 
and introduced the next bit test for pseudorandom generators. (They actually constructed a pseudorandom 
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generator assuming the hardness of the discrete logarithm problem.) Since Yao fT^ proved that the next bit test 
is a universal test for pseudorandom generators, the Blum-Micali's construction paradigm of pseudorandom 
generators from one-way permutations was accomplished. In the case of pseudorandom generators based on 
one-way permutations, the next bit unpredictabihty can be proved by using the hard-core predicates for one- 
way permutations. After that, Goldreich and Levin f6\ showed that there exists a hard-core predicate for any 
one-way function (and also permutation) and Hastad et al. |9| showed that the existence of pseudorandom 
generators is equivalent to that of one-way functions. 

Yao's result on the universality of the next bit test assumes that any bits appeared in pseudorandom bits are 
computationally unbiased. Schrift and Shamir lITTl extended Yao's result to the biased case and proposed uni- 
versal tests for nonuniform distributions. On the other hand, no universal test for the one-wayness of a function 
(or a permutation) is known, although pseudorandom generators and one-way functions (or permutations) are 
closely related. 

In the quantum computation model, Kashefi, Nishimura and Vedral flOl gave a necessary and sufficient 
condition for the existence of worst-case quantum one-way permutations. They also considered the crypto- 
graphic (i.e., average-case) quantum one-way permutations and gave a sufficient condition of (cryptographic) 
quantum one-way permutations. They also conjectured ffiat the condition would be necessary. Their conditions 
are based on the efficient implementability of reflection operators about some class of quantum states. Note 
that the reflection operators are successfully used in the Grover's algorithm O and the quantum amplitude 
amplification technique Pl. To obtain a sufficient condition of cryptographic quantum one-way permutations, 
a notion of "pseudo identity" operators was introduced 1 10 1. Since the worst-case hardness of reflection oper- 
ators is concerned with the worst-case hardness of the inversion of the permutation /, we need some technical 
tool with which the inversion process of / becomes tolerant of some computational errors in order to obtain 
a sufficient condition of cryptographic quantum one-way permutations. Actually, pseudo identity operators 
permit of exponentially small errors during the inversion process 1101 . 

In this paper, we complete a necessary and sufficient condition of cryptographic quantum one-way permu- 
tations conjectured in [T(T|. We incorporate their basic ideas with a probabilistic argument in order to obtain 
a technical tool to permit of polynomially small errors during the inversion process. Roughly saying, pseudo 
identity operators are close to the identity operator in a sense. The similarity is defined by an intermediate 
notion between the statistical distance and the computational distance. In [10|, it is "by upper-bounding the 
similarity" that the sufficient condition of cryptographic quantum one-way permutations was obtained. By us- 
ing a probabilistic argument, we can estimate the expectation of the similarity and then handle polynomially 
small errors during the inversion of the permutation /. 

Moreover, the necessary and sufficient condition of quantum one-way permutations can be regard as a 
universal test for the quantum one-wayness of permutations. To discuss universal tests for the one-wayness of 
permutations, we briefly review the universality of the next bit test for pseudorandom generators. Let g{x) be 
a length-regular deterministic function such that g{x) is of length €{n) for any x of length n. The universality 
of the next bit test says that we have only to check a collection of stepwise polynomial-time tests T\,..., Ti(n) 
instead of considering all the polynomial-time tests that try to distinguish the truly random bits from output bits 
from g, where each T, is the test whether, given the (/ - l)-bits prefix of g{x) (and the value of ^(UD), the /-th 
bit of g{x) is predictable or not with probability non-negligibly higher than 1/2. Our necessary and sufficient 
condition of quantum one-way permutations says that the quantum one-wayness of a given permutation / can 
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be checked by a collection of stepwise tests T'^,..., T'^ instead of considering all the tests of polynomial-size 
quantum circuit, where each T'. is the test whether, given some quantum state qi-i that can be defined by using 
the (/ - l)-bits prefix of fix), some other quantity is computable with polynomial-size quantum circuit or not 
and the next state qi can be determined from and f,. In this sense, our universal test for quantum one-way 
permutations is analogous to the universal test (i.e., the next bit test) for pseudorandom generators. 



2 Preliminaries 

We say that a unitary operator (on n qubits) is easy if there exists a quantum circuit implementing U with 
polynomial size in n and a set 9^ of unitary operators is easy if every U e is easy. Throughout this paper, 
we assume that / : {0, 1)* |0, 1)* is a length-preserving permutation unless otherwise stated. Namely, for 
any x € {0, 1)", f{x) is an n-bits string and the set {/(x) : x e {0, 1)") is of cardinality 2" for every n. First, we 
mention some useful operators in describing the previous and our results. The tagging operators Oj are defined 
as follows: 

_ J -|X>|3;> if f(y)(2j,2j+l) = H2j,2j+l) 
\\x)\y) if /Cy)(2y,27+1) * H2j,2M) 

where y^ij^ denotes the substring from the /-th bit to the j-th bit of the bit string y. Note that these unitary 
operators Oj are easy. Next, we consider the reflection operators Qjif) as follows: 



0;|x>|3;> 



jce{0,l)'' 

where 



(See Fig. 1 for the reflection operator.) We sometimes use the notation Qj instead of Qjif)- 




Fig. 1: Reflection operator 



Actually, these reflection operators are somewhat special for our purpose. In general, reflection operators 
are commonly and successfully used in the Grover's algorithm 1 8 1 and the quantum amplitude amplification 
technique t4J. 
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Theorem 2.1 (Kashefi, Nishimura and Vedral fTUl ) Let f : {0, 1}" {0, 1}" be a permutation. Then f is 
worst-case quantum one-way if and only if the set Tn = {2//)}j=o,i,...,f-i of unitary operators is not easy. 

As a part of the proof of Theorem 12. II Kashefi, Nishimura and Vedral fW\ give a quantum algorithm (we 
call Algorithm INV in what follows) computing f~^ by using unitary operators Oj and Qj. The initial input 
state to INV is assumed to be 

ve{0,l)" 

where INV trys to compute /"'(x). Then INV performs the following steps: 

foreach 7 = to | - 1 

(step W.j.1 ) Apply Oj to the first and the second registers; 
(step W.j.2) Apply Qj to the first and the second registers. 

After each step, we have the following: 

V2^|(A;,x> - 2 



2J 

(the state after step W.j.1 ) = —=\x) 

Y2" 



>':/(>')(l,2j+2)=^(l,2j+2) , 



2 ^'^^ 

(the state after step W.j.2) ^ — =|x> V \y). 

' >':/Cy)(1.2j+2)=^(1.2j+2) 

Before reviewing a known sufficient condition of cryptographic quantum one-way permutations, we define 
two types of cryptographic "one-wayness" in the quantum computational setting. 

Definition 2.1 A permutation / is weakly quantum one-way if the following conditions are satisfied: 

1. / can be computed by a polynomial size quantum circuit (and whenever inputs are classical the corre- 
sponding outputs must be classical). 

2. There exists a polynomial ;?(•) such that for every polynomial size quantum circuit A and all sufficiently 
large «'s, 

Pr[A(/(t/„)) ^ [/„] > ^ 



where Un is the uniform distribution over {0, 1)". 

Definition 2.2 A permutation / is strongly quantum one-way if the following conditions are satisfied: 

1 . / can be computed by a polynomial size quantum circuit (and whenever inputs are classical the corre- 
sponding outputs must be classical). 

2. For every polynomial size quantum circuit A and every polynomial p(-) and all sufficiently large n's, 

1 



Pr[A(/([/„)) = U„] < 



p(n) 
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As in the classical one-way permutations, we can show that the existence of weakly quantum one-way per- 
mutations is equivalent to that of strongly quantum one-way permutations (see, e.g., |7|). Thus, we consider 
the weakly quantum one-way permutations in this paper. While Theorem l2.1l is a necessary and sufficient con- 
dition of worst-case quantum one-way permutations, Kashefi, Nishimura and Vedral | lOJ also gave a sufficient 
condition of cryptographic quantum one-way permutations by using the following notion. 

Definition 2.3 Let d{n) > « be a polynomial in n and 7„ be a d{n)-quhit unitary operator. 7„ is called 
(a(«), &(n))-pseudo identity if there exists a set X„ c {0, 1)" such that \X„\/2" < b{n) and for any z £ |0, 1)" \ X„ 

|l-((z|l(0|2)/n(|Z>l|0>2)l<a(«), 

where |z) i is the ?i-qubit basis state for each z and |0)2 corresponds to the ancillae of d{n) - n qubits. 

The closeness between a pseudo identity operator and the identity operator is measured by a pair of param- 
eters a{n) and b{n). The first parameter a{n) is a measure of a statistical property and the second one b{n) is 
a measure of a computational property. Note that we do not care where each z £ X„ is mapped by the pseudo 
identity operator /„. While we will give a necessary and sufficient condition of quantum one-way permuta- 
tions by using the notion of pseudo identity, we introduce a new notion, which may be helpful to understand 
intuitions of our and previous conditions, in the following. 

Definition 2.4 Let d'{n) > « be a polynomial in n and P„ be a (i'(?i)-qubit unitary operator. P„ is called 
(a(n), &(n))-pseudo reflection (with respect to \^{z))) if there exists a set X„ c |0, 1)" such that |X„|/2" < b{n) 
andforanyz£ {0, ir\X„ 

1 - ((Zli<w|2( ® (2|'A(3')><'A0')I - /)2)<0|3Vn(lz>i|w>2|0>3) < a{n). 

The above definition of pseudo reflection operators is somewhat complicated. Since Fig. 2 illustrates a 
geometrical intuition, it may be helpful to understand the idea of pseudo reflection operators. Let 7„ be a 
(i(«)-qubit (a(?i), ft(?i))-pseudo identity operator. Then (/„ ® Jni^iQj ® ld(n)~n){ln ® Jn) is a {d{n) + ?i)-qubit 
(a'(?i),Zj'(?i))-pseudo reflection operator with respect to \il^j,x), where a'{n) < 2a{n) and b'{n) < 2b{n). These 
estimations of a'{n) and b'{n) are too rough to obtain a necessary and sufficient condition. Rigorously estimating 
these parameters is a main technical issue in this paper. 

Theorem 2.2 (Kashefi, Nishimura and Vedral OHI) Let f bea permutation that can be computed by a polynomial- 
size quantum circuit. If f is not (weakly) quantum one-way, then for any polynomial p and infinitely many n, 
there exist a polynomial rp{n) and a rp{n)-qubit (l/2''^"\ I / p{n))-pseudo identity operator 7„ such that the 
family of pseudo reflection operators 

Tp,n(J) = {{In ® Jn)\Qj(J) ® I,-,{n)-n){In ® ^))i=0,l,...,f -1 

is easy. 

Kashefi, Nishimura and Vedral |10| conjectured that the converse of Theorem 12.21 should still hold and 
proved a weaker version of the converse as follows. 
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Theorem 2.3 (Kashefi, Nishimura and Vedral llOt ) Let fbea permutation that can be computed by a polynomial- 
size quantum circuit. If for any polynomial p and infinitely many n there exist a polynomial rp{n) and a rp{n)- 
qubit {\ /IP'-"^ p{n) /2")-pseudo identity operator J„ such that the family of pseudo reflection operators 

(n)-n){In ® ■/«));=0,l,...,f -1 

is easy, then f is not (weakly) quantum one-way. 




Fig. 2: Pseudo reflection operator 



We mention why it is difficult to show the converse of Theorem l2.2l To prove it by contradiction, all we can 
assume is the existence of a pseudo identity operator. This means that we cannot know how the pseudo identity 
operator is close to the identity operator. To overcome this difficulty, we introduce a probabilistic technique and 
estimate the expected behavior of the pseudo identity operator. Eventually, we give a necessary and sufficient 
condition of the existence of quantum one-way permutations in terms of reflection operators. This says that we 
affirmatively settle their conjecture. 

3 Necessary and Sufficient Condition of Quantum One-way Permutations 

We have a necessary and sufficient condition of cryptographic quantum one-way permutations as follows. 
Theorem 3.1 The following statements are equivalent. 

1. There exists a weakly quantum one-way permutation. 

2. There exists a polynomial-time computable function f satisfying that there exists a polynomial p such that 
for all sufficiently large n's, any polynomial rp{n) and any rp{n)-qubit (l/2^^"\ \ I p{n))-pseudo identity 
operator Jn such that the family of pseudo reflection operators 

Tn,p(J) = f(^n ® Jn)\Qj(J) ® lr,(n)-n){ln ® /«))y=0,l,...,f -1 

is not easy. 
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To grasp the intuition of Theorem l3.1[ Fig 3. may be helpful. Theorem l3.1l can be proved as the combination 
of Theorem 12. 21 and the following theorem. 

Theorem 3.2 Let f be a permutation that can be computed by a polynomial-size quantum circuit. If for any 
polynomial p and infinitely many n there exist a polynomial rp{n) and a rp{n)-qubit (l/2''^"\ \ / p(n))-pseudo 
identity operator J„ such that the family ofpseudo reflection operators 

TnM) = (e//)) = {(In ® Jn)\Qj{f) ® ® /n));=0,l,...,f -1 

is easy, then f is not (weakly) quantum one-way. 



X'. 



-}n\ 



J. 



J.. 



X'- 



-}n 



Fig. 3: Basic operations for the inversion 



Proof. Suppose that for any polynomial p{n), infinitely many n, and some {\I2P^"\ l/;7(n))-pseudo identity 
operator 7„, the family ;Fp,„ of unitary operators is easy. Moreover, let / be a weakly quantum one-way per- 
mutation. By a probabilistic argument, we show that a contradiction follows from this assumption. For more 
detail, we construct an efficient inverter for / using Tp^n and then, if we choose a polynomial p{n) appropriately, 
this efficient inverter can compute x from f{x) for a large fraction of inputs, which violates the assumption that 
/ is a weakly quantum one-way permutation. 

We first construct a polynomial-size algorithm av-INV to invert / by using unitary operations in 
Algorithm av-INV is almost similar to Algorithm INV except the following change: the operator Qj is now 
replaced with Qj. The initial input state to av-INV is also assumed to be 

-^ix>i y ij>2io>3, 

ye|0,l)" 

where \z)\ (resp., |z>2 and \z)z) denotes the first n-qubit (resp., the second n-qubit and the last (jpin) - ?i)-qubit) 
register. 

Algorithm av-INV performs the following steps: 

foreach 7 = to | - 1 

(step j.1 ) Apply Oj to the first and the second registers; 
(step j.2) Apply Qj to all the registers. 
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For analysis of Algorithm av-INV, we use the following functionally equivalent description. (Note that the 
following procedure may not be efficient though the behavior is equivalent to Algorithm av-INV.) 

foreach 7 = to | - 1 



Then, we can prove the following two claims. 

Claim 3.1 Suppose that f is a weakly quantum one-way permutation, i.e., there exists a polynomial r{n) > 1 
such that for every polynomial size quantum circuit A and all sufficiently large n's, Pr [A (/(?/„)) Un] > l/r{n). 



probability at least 1 - \/q^{n). 

Claim 3.2 Let q{n) = p^^^{n)/ ^/in. There are at most 2"/q(n) x's such that Algorithm av-INV cannot compute 
xfrom f{x) with probability at least 1-1 /q^{n). 

The proof of Claim lT^ is delayed and that of Claim lTTl follows immediately from the definition of a weakly 
quantum one-way permutation by a counting argument. 

Recall that we assume that / is a weakly quantum one-way permutation at the beginning of this proof. Now, 
we can set p{n) = 4n^{r{n) + \f, that is, q{n) = r{n) -1- 1 > 2. It follows that (l/r(w) - \/q^{n))/{\ - l/q^in)) > 
l/q{n), which is a contradiction since av-INV is an inverter violating the assumption of a weakly quantum 
one-way permutation /. This implies that / is not weakly quantum one-way. 

In what follows, we present a proof of Claim IT^ to complete the proof of this theorem. 

Proof of Claim l3l2l From the definition of pseudo identity operators, there exists a set X„ c {0, 1}" with 
\Xn\ < 2"lp{n) such that for any yeY„ = {0, 1)" \ X„, 

JnWm = ay\y}2\0h + l<Ay>23, 

where |fv>23-'-l3'>2|0>3 and |1 - ay\ < 

In Algorithm av-INV, we apply 7„ before and after step A.j.3 for each j. The application of 7„ makes an 
error in computation of /"^ We call the vector 7„|i/'> - li/') the error associated to li/'). To measure the effect 
of this error, we use the following lemmas. (Lemma (3.21 itself was stated in lHOl .) We note, in the sequel, the 
norm over vectors is Euclidean. 

Lemma 3.1 Assume that T Q S Q {0, 1)". Then length l(S, T) of the error associated to the state 



(step A.j.1 ) Apply Oj to the first and the second registers; 
(step A.j.2) Apply 7„ to the second and third registers; 
(step A.j.3) Apply Qj to the first and the second registers; 
(step A.j.4) Apply 7,| to the second and third registers. 



Then, there are at least 2' 



{l/r{n) — l/q^{n))/{l — l/q^{n)) x's such that A cannot compute xfrom f{x) with 




satisfies that 




where y{n) is a negligible function in n. 
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Proof. First, we restate the property of the length of the error associated to the state |3')|0> wliich was shown 
in fTOll . The property is that the length is at most ^^^^ if y € F„ and at most liiy e X„. Using this property 
more carefully, we have a more tight bound of 1{S, T) as follows: 

KS,T) = |7„|,A(5,r)>-|(A(5,r)>| 
1 



1 

W\ 

1 



(Jn - I) 



{Jn - I) 



\yeY„n{S\T) yeY„nT yeX„n{S\T) ysX„nT 

l3'>|0>- 2 l3'>IO> 



+- 



\yeY„n(S\T) yeY„nT 
( 

jeX„r\{S\T) yeX„nT 



1 



2] |/„ly>IO> - b>|0>| + 2] |/„b>|0> - |3'>|0>| 

KyeY„n(S\T) yeY„nT 



+ - 



1 



2 \S n Yn 



Jfl 



l3'>|0>- Z l3'>|0> 

yyeX„n{S\T) yeX„nT 
2 



+ 



2 l3'>|0>- E 

veX„n(5\7-) yeX„n7- 



2P(n)/2 ^ ^ 
2 15 n Yn 



V(ix„ n (5 \ T)\ + \x„ n ri) 



2/'(«)/2 ^ 



+ 2- 



15 n x„| 
15 1 



Let yC?!) be the former term in the above inequality. Then 

2 15 n Y„\ 



y{n) 



< — r-TT < 



2p(n)/2 yjj^ 2/'(")/2 2" 



and is negligible. 



Lemma 3.2 Let J„\ifj{S,T)) = a\ifj{S,T)) + \iIj{S,T)^), where \il/{S ,T))1.\iIj{S ,T)^). Then, \\^{S,T)^)\ < 
KS,T). 

By using Lemma ini and Lemma lT^ we consider the effect of the additional applications of pseudo identity 
operators to INV in order to analyze Algorithm av-INV. 

For each j, we let 5.^,; = {y : f(y)(\,2j) = X(i,2j)^ and Tj,j ^ {y : /Cy)(i,2;+2) = ■^(i,2j+2))- We assume that the 
state before step A.j.2 is 



\x)\\tl/iS x,j,Tj,j))23 = \x)l 



2} 
V2" 



|0>3 



Note that the above state is the same as the one before W. j.2 in Algorithm INV. 

In step A.j.2, J„ is applied to the state. From Lemma ITTI and a probabilistic argument, we have the 
following. 
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Lemma 3.3 For each j, 



E[/(5,j,r,j)] < 



+ y{n). 



where the expectation is over x € {0, 1}" and y{n) is a negligible function in n. 

Proof. Since / is a permutation, by the definition of S xj, \S x,i\ = 2"~^->. Also, y € S xj for some x if and only 
ifynij) ^ X(i^2j)- Then, 

21-2 j ^ 

where the probability is taken over x € {0, 1}" uniformly. Since, for any (1/2P("\ l/;7(«))-pseudo identity, 

\X„\ 1 



M\Xn n Sx,j\] = \Sxj\ = 2"^^j, and 



2" pin) ' 



it holds that 



E 



where the expectation is over x € |0, 1)". By Lemma ITTl 
e[1{Sx,j,Txj)]<2E 



piny 



\XnnSxJ 



+ yin)<2JE 



\X„ n Sx,j\ 



+ y(«) 



^fpinj 



+ yin) 



for some negligible function y. 



From Lemma IT2l and Lemma l331 we obtain a vector v = vi + V2 where vi/|vi| is the unit vector corre- 
sponding to the state before step W.j.2 in Algorithm INV and V2 is a vector of expected length at most 2/ ^Jpin) 
orthogonal to vi. (For simplicity, we neglect a negligible term yin).) The vector V2 corresponds to an error that 
happens when /„ is applied before step A.j.3. 

Next, we consider the state after step A.j.3. We assume that the state after step A.j.3 is 



;c>i|tA(5,-+i,0)>23 = \x}i 



2j 
V2" 



|0>3 



Note that the above state is the same as the one after step W.j.2 in Algorithm INV. In order to analyze the effect 
of the application of after step A.j.3, we need another lemma similar to Lemma B31 (The proof is omitted 
since its proof is also similar.) 



Lemma 3.4 For each j, 



E[/(5,j+i,0)] < 



+ yin), 



where the expectation is over x € {0, 1)" and yin) is a negligible function in n. 

By a similar argument to the above, we obtain a vector v = vi + V2 where vi/|vi| is the unit vector corre- 
sponding to the state after step W.j.2 in Algorithm INV and V2 is a vector of expected length at most 2/ ^Jpiri) 
orthogonal to vi. (For simplicity, we neglect a negligible term yin).) The vector V2 corresponds to an error that 
happens when j}^ is applied after step A.j.3. 
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From the above analysis, we can see that after the completion of Algorithm av-INV on input x the final state 
become v(x) - v\(x) + V2(x) where v\{x) is parallel to 

|x>l|/-k^)>2|0>3 

and V2(x) is a vector orthogonal to vi. By Lemma ll4l and the linearity of expectation, we have 

„ n 1 In \ 

E[|v2(x)|] < 2 • - • —= = —= < 



2 

for qin) - p^^'^(n)l V2«, where the expectation is over x e {0, 1)". It follows that the number of x such that 
|v2(-x)l > 1 /^(") is at most 1" lq{n), i.e., av-INV can invert f{x) for at least 2"(1 - l/q{n)) x's with probabihty at 
least 1 - l/q^(n). □ 

□ 



4 Conclusion 

By giving a proof of the conjecture left by Kashefi, Nishimura and Vedral fW\, we have completed a neces- 
sary and sufficient condition of cryptographic quantum one-way permutations in terms of pseudo-identity and 
reflection operator in this paper. 

The necessary and sufficient condition of quantum one-way permutations can be regard as a universal test 
for the quantum one-wayness of permutations. As long as the authors know, this is, classical or quantum, 
the first result on the universality for one-way permutations, though the next bit test is a universal test for 
pseudorandom generators in the classical computation. We believe that our universal test for quantum one-way 
permutations may help to find good candidates for them, which are currently not known. 
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